Hartmut
01c45d0344
Client-side validators (reset-password, invite-accept, first-admin setup, user-create modal) previously checked password.length < 8 while every server-side Zod schema required .min(12). External API consumers (or a confused browser UI) could get past the client check but fail at the tRPC boundary — or worse, quietly under-enforce policy compared to what admins expect. Fix: introduce PASSWORD_MIN_LENGTH (12) and PASSWORD_MAX_LENGTH (128) in @capakraken/shared and import them from every pre-submit client validator and every server Zod schema. Single source of truth; drift becomes a compile error rather than a security finding. Also hardens the AUTH_SECRET runtime check: in addition to the existing placeholder-blacklist, production startup now rejects secrets shorter than 32 chars OR with Shannon entropy below 3.5 bits/char. That covers low-entropy-but-long values like "aaaa..." (38 chars, entropy 0) which would have passed the previous checks. Documented the rotation process for AUTH_SECRET + POSTGRES_PASSWORD in docs/security-architecture.md §3. Verified: - pnpm test:unit — 396 files / 1922 tests passed - pnpm --filter @capakraken/web exec tsc --noEmit — clean - pnpm --filter @capakraken/api exec tsc --noEmit — clean Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
94 lines
3.2 KiB
TypeScript
94 lines
3.2 KiB
TypeScript
import { describe, expect, it } from "vitest";
|
|
import { assertSecureRuntimeEnv, getRuntimeEnvViolations } from "./runtime-env";
|
|
|
|
describe("runtime env validation", () => {
|
|
it("allows non-production environments without auth runtime settings", () => {
|
|
expect(getRuntimeEnvViolations({ NODE_ENV: "development" })).toEqual([]);
|
|
});
|
|
|
|
it("accepts a valid production auth secret and https url", () => {
|
|
expect(
|
|
getRuntimeEnvViolations({
|
|
NODE_ENV: "production",
|
|
NEXTAUTH_SECRET: "super-long-random-secret-with-enough-entropy-abc123",
|
|
NEXTAUTH_URL: "https://capakraken.example.com",
|
|
}),
|
|
).toEqual([]);
|
|
});
|
|
|
|
it("rejects a missing production auth secret", () => {
|
|
expect(
|
|
getRuntimeEnvViolations({
|
|
NODE_ENV: "production",
|
|
NEXTAUTH_URL: "https://capakraken.example.com",
|
|
}),
|
|
).toContain("AUTH_SECRET or NEXTAUTH_SECRET must be set in production.");
|
|
});
|
|
|
|
it("rejects the development placeholder auth secret in production", () => {
|
|
expect(
|
|
getRuntimeEnvViolations({
|
|
NODE_ENV: "production",
|
|
NEXTAUTH_SECRET: "dev-secret-change-in-production",
|
|
NEXTAUTH_URL: "https://capakraken.example.com",
|
|
}),
|
|
).toContain(
|
|
"AUTH_SECRET or NEXTAUTH_SECRET must not use a known development placeholder in production.",
|
|
);
|
|
});
|
|
|
|
it("rejects the CI build-time placeholder that leaks from Dockerfile ARG default", () => {
|
|
expect(
|
|
getRuntimeEnvViolations({
|
|
NODE_ENV: "production",
|
|
NEXTAUTH_SECRET: "ci-build-placeholder-secret-minimum-32-chars",
|
|
NEXTAUTH_URL: "https://capakraken.example.com",
|
|
}),
|
|
).toContain(
|
|
"AUTH_SECRET or NEXTAUTH_SECRET must not use a known development placeholder in production.",
|
|
);
|
|
});
|
|
|
|
it("rejects an auth secret shorter than the minimum length in production", () => {
|
|
expect(
|
|
getRuntimeEnvViolations({
|
|
NODE_ENV: "production",
|
|
NEXTAUTH_SECRET: "short-but-random-xyz", // 20 chars
|
|
NEXTAUTH_URL: "https://capakraken.example.com",
|
|
}),
|
|
).toContain("AUTH_SECRET or NEXTAUTH_SECRET must be at least 32 characters in production.");
|
|
});
|
|
|
|
it("rejects a long-but-low-entropy auth secret in production", () => {
|
|
expect(
|
|
getRuntimeEnvViolations({
|
|
NODE_ENV: "production",
|
|
NEXTAUTH_SECRET: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", // 38 a's
|
|
NEXTAUTH_URL: "https://capakraken.example.com",
|
|
}),
|
|
).toContain(
|
|
"AUTH_SECRET or NEXTAUTH_SECRET entropy is too low; generate with `openssl rand -base64 32`.",
|
|
);
|
|
});
|
|
|
|
it("rejects non-https auth urls in production", () => {
|
|
expect(
|
|
getRuntimeEnvViolations({
|
|
NODE_ENV: "production",
|
|
NEXTAUTH_SECRET: "super-long-random-secret-with-enough-entropy-abc123",
|
|
NEXTAUTH_URL: "http://capakraken.example.com",
|
|
}),
|
|
).toContain("AUTH_URL or NEXTAUTH_URL must use https in production.");
|
|
});
|
|
|
|
it("throws with a combined startup error when production env is invalid", () => {
|
|
expect(() =>
|
|
assertSecureRuntimeEnv({
|
|
NODE_ENV: "production",
|
|
NEXTAUTH_SECRET: "dev-secret-change-in-production",
|
|
NEXTAUTH_URL: "not-a-url",
|
|
}),
|
|
).toThrow(/Invalid production runtime configuration/);
|
|
});
|
|
});
|